We have a scenario where we need to have either a 2-level or a 3-level approval based on the user's department. Example:
User belongs to Department X - Manager + Department Owner (populated in identity attribute) + Governance Group
User belongs to Department Y - Manager + Governance Group
The challenge we are facing is that, using the dynamic approval trigger, we are unable to add the department owner in between the two approvers. It is adding it after the governance group and we can only assign one dynamic approval from this trigger.
Is there a way to dynamically assign two approvals from a single event trigger?
The Access Request Dynamic Approval Trigger, to my knowledge, only allows for a "single" "additional" approver in the response, i.e. the approvers specified in the access item are set in stone, in that order, unwavering.
To do what you need, you need to configure the following:
Approval scheme:
1. Manager
2. Identity: Level2Approver (a dummy identity)
3. Governance Group

The purpose of the Level2Approver dummy identity is that it can now serve the purpose of being a conditional auto-approver & forwarder…with the help of, say, PowerShell SDK.
On a periodic / scheduled basis, the PowerShell will be asking "Is there any access request approval pending for Level2Approver?". The script then determines if the approval needs to be forwarded to Department Owner (case 1 of yours) or auto-approved (case 2 of yours). In both cases (if approved by department owner, or auto-approved), the Governance Group will be the last approver of the approval scheme.
There might be a more elegant solution…let’s see what others might come up with.
Alternative to the PowerShell, of course, is the Workflow Trigger of “Access Request Decision”…specifically, you want to trigger on Manager approved access request…then carry out the similar logic as mentioned above within the context of ISC Workflows.
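An added illustration of the Level2Approver routing decision described in the posts above; it is not code from the thread's participants or from SailPoint. The record fields, identity names and department lists are constructed, and the SDK or workflow calls that fetch pending approvals and apply a decision are not shown.

```powershell
# Added example: decision logic only. All names and records below are constructed.
$ThreeLevelDepartments = @('X')  # Manager + Department Owner + Governance Group
$TwoLevelDepartments   = @('Y')  # Manager + Governance Group

function New-Decision($Id, $Action, $Target, $Reason) {
    [pscustomobject]@{ ApprovalId = $Id; Action = $Action; Target = $Target; Reason = $Reason }
}

# Decide what to do with one approval that is pending for Level2Approver.
# Anything that cannot be resolved is held for manual review, never auto-approved.
function Resolve-Level2Decision {
    param($Approval, [hashtable]$Identities)
    $who = $Approval.RequestedFor
    if (-not $who -or -not $Identities.ContainsKey($who)) {
        return New-Decision $Approval.Id 'Hold' $null 'requestee not found'
    }
    $user = $Identities[$who]
    if ($user.Department -in $TwoLevelDepartments) {
        return New-Decision $Approval.Id 'Approve' $null 'two-level department'
    }
    if ($user.Department -notin $ThreeLevelDepartments) {
        return New-Decision $Approval.Id 'Hold' $null 'department not mapped'
    }
    $owner = $user.DepartmentOwner
    if ([string]::IsNullOrWhiteSpace($owner)) {
        return New-Decision $Approval.Id 'Hold' $null 'department owner attribute is empty'
    }
    if ($owner -eq $who) {
        return New-Decision $Approval.Id 'Hold' $null 'owner would approve own request'
    }
    if (-not $Identities.ContainsKey($owner)) {
        return New-Decision $Approval.Id 'Hold' $null 'owner identity not found'
    }
    New-Decision $Approval.Id 'Forward' $owner 'three-level department'
}

# Constructed identities: department plus the owner held in an identity attribute.
$identities = @{
    alice  = @{ Department = 'X'; DepartmentOwner = 'olivia' }
    bob    = @{ Department = 'Y'; DepartmentOwner = $null }
    carol  = @{ Department = 'X'; DepartmentOwner = '' }
    olivia = @{ Department = 'X'; DepartmentOwner = 'olivia' }
}
# Constructed pending approvals; 'dave' has no identity record.
$pending = 'alice', 'bob', 'carol', 'olivia', 'dave' |
    ForEach-Object { [pscustomobject]@{ Id = "req-$_"; RequestedFor = $_ } }

$pending | ForEach-Object { Resolve-Level2Decision $_ $identities } | Format-Table -AutoSize
```

With this sample data only alice's request is forwarded and only bob's is auto-approved; the other three stay pending with Level2Approver until someone reviews them.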
Thanks @David_Norris,
It solves a few of the scenarios for us. But we identified there is also a scenario where the dynamic approver could be a governance group, and since we cannot forward the requests to a governance group, we cannot use this approach.
We are trying to leverage forms and see if we can achieve some solution.
@gvscdeep1 We wanted to do something similar, but that wasn’t possible as Approval can’t be dynamic and can’t be reassigned to groups.
The only way we managed to "do" it is by creating two instances of the same role with different approval processes, and we have configured Segments: the first one is visible for the people in that Department and the second one is visible for others who aren't in that department.
It’s not super practical as the Role Update might be tricky, but with a lil bit of scripting using SDKs it can be acceptable.
I’m interested if someone found a cleaner way around that.